On Fri, Dec 28, 2001 at 08:33:03AM -0500, Dave Reed wrote:
> The Linux box is no less secure if you have it all properly configured and
> keep up with security updates. The Linksys routers are just simpler
> since by default they don't (as far as I know) listen for incoming
> connections.

Actually, I can argue the Linux box is more secure if you've done it all
correctly, since we simply don't KNOW what's going on inside the LinkSys.
There has been one firmware exploit of which I'm aware.

> As I've said before, it's really a matter of whether you want a simple
> solution (Linksys router) or want to spend some time learning about
> Linux networking.

There are also some other advantages to the Linux solution.  It's much
more flexible (and more complicated), and provides better logging
of events.

The down side, as noted, is that once you've got it running as the gateway
for the network, you're awfully reluctant to pull it down or upgrade--
anything that might break it.

The LinkSys, provided it's doing everything it's supposed to, is a
very good solution.  And its affordability actually allows you to
establish a real, traditional recommended firewall configuration,
with a true bastion firewall (the LinkSys) going to the curtain, or
interior, firewall (the Linux box) that's a different kind of firewall.
Send the logs from the bastion to the interior and audit them--although
I don't know if the LinkSys can tell you it's under attack.  If it can,
then this fulfills the traditional function of a bastion firewall.
(Sacrificial, but scream for help while being killed).  Moreover, this gives
you a real, honest-to-Ghu DMZ.

Incidentally, beware of these silly imitation "DMZ ports" a lot of firewall
vendors, including LinkSys, are touting.  They're NOT.  A real DMZ is
nestled between two separate firewalls--this still gives you a single
point of failure/attack, the single firewall itself.  All this pseudo-DMZ
does is make the rules setup for an open port simpler.  Use it, if you
wish, but don't believe you're getting the protection of a DMZ.

Cheers,
-- 
        Dave Ihnat
        [EMAIL PROTECTED]
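The "send the logs from the bastion to the interior and audit them" step above is left to the reader. The script below is an added example, not part of the original post or of anything Linksys or Red Hat shipped. It assumes the interior Linux box receives syslog lines in the Linux netfilter LOG format (KEY=VALUE fields such as SRC=, DST=, PROTO=, DPT=); the sample lines, the addresses in them and the "three ports from one source" threshold are constructed for the example.

```python
"""Audit firewall log lines forwarded from a bastion host.

Added example, not part of the original mailing-list post. It assumes the
interior firewall receives syslog lines in the Linux netfilter LOG format
(SRC=..., DST=..., PROTO=..., DPT=...); the sample lines below are constructed.
"""
import re
from collections import defaultdict

# netfilter LOG lines carry space-separated KEY=VALUE fields after the prefix.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: three denied inbound connection attempts from one
# source across different ports (a sweep), one stray hit from another host,
# and one accepted outbound connection that should not be counted.
SAMPLE_LOG = """\
Dec 28 08:40:01 bastion kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22
Dec 28 08:40:02 bastion kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=23
Dec 28 08:40:03 bastion kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=80
Dec 28 08:40:03 bastion kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=5353
Dec 28 08:41:00 bastion kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=50000 DPT=443
"""


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line plus its rule prefix, or None."""
    m = re.search(r"kernel: (\S+) (IN=.*)$", line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    fields["ACTION"] = m.group(1)  # the log prefix the rule was given (DROP/ACCEPT)
    return fields


def audit(log_text, external_if="eth0", port_threshold=3):
    """Summarise denied inbound attempts per source and flag port sweeps.

    Returns (dropped, alerts): dropped maps each source to the set of
    (PROTO, DPT) pairs it was refused on the external interface; alerts is
    the subset of sources that touched at least port_threshold distinct ports.
    """
    dropped = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["ACTION"] != "DROP" or f.get("IN") != external_if:
            continue
        dropped[f["SRC"]].add((f.get("PROTO"), f.get("DPT")))
    alerts = {src: sorted(ports) for src, ports in dropped.items()
              if len(ports) >= port_threshold}
    return dict(dropped), alerts


if __name__ == "__main__":
    counts, alerts = audit(SAMPLE_LOG)
    for src, ports in counts.items():
        print(f"{src}: {len(ports)} denied inbound attempt(s)")
    for src, ports in alerts.items():
        print(f"ALERT: {src} swept {len(ports)} ports: {ports}")
```

Point the script at whatever file the interior box's syslog writes the bastion's forwarded lines to; the alert branch is where you would hook a page or mail so the bastion can "scream for help" in the sense the post describes.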



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list